diff --git a/CHANGELOG b/CHANGELOG
index 713b785..f318ac0 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,8 @@
+version 2.91
+	Fix spurious "resource limit exceeded messages". Thanks to 
+	Dominik Derigs for the bug report.
+	
+
 version 2.90
 	Fix reversion in --rev-server introduced in 2.88 which
 	caused breakage if the prefix length is not exactly divisible
diff --git a/src/forward.c b/src/forward.c
index 32f37e4..10e7496 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -937,10 +937,10 @@ static void dnssec_validate(struct frec *forward, struct dns_header *header,
 	status = dnssec_validate_reply(now, header, plen, daemon->namebuff, daemon->keyname, &forward->class, 
 				       !option_bool(OPT_DNSSEC_IGN_NS) && (forward->sentto->flags & SERV_DO_DNSSEC),
 				       NULL, NULL, NULL, &orig->validate_counter);
-    }
 
-  if (STAT_ISEQUAL(status, STAT_ABANDONED))
-    log_resource = 1;
+      if (STAT_ISEQUAL(status, STAT_ABANDONED))
+	log_resource = 1;
+    }
   
   /* Can't validate, as we're missing key data. Put this
      answer aside, whilst we get that. */